Analysis Overview
SHA256
1643f09345a88923f4d9fdb38bcec093b7f9a58a17f3dd2e15077fc159f830a1
Threat Level: Known bad
The file 0cb9b66451ba728bd3edf2e34404289d_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
LimeRAT
Checks computer location settings
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Analysis: static1
Detonation Overview
Reported
2024-06-25 05:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-25 05:14
Reported
2024-06-25 05:17
Platform
win7-20240611-en
Max time kernel
147s
Max time network
153s
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Secure.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Secure.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Secure.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0cb9b66451ba728bd3edf2e34404289d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0cb9b66451ba728bd3edf2e34404289d_JaffaCakes118.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\Secure.exe'"
C:\Users\Admin\AppData\Local\Temp\Secure.exe
"C:\Users\Admin\AppData\Local\Temp\Secure.exe"
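The schtasks invocation above is the whole persistence mechanism: a logon trigger, the highest available run level, a forced overwrite, and an action pointing into the user's Temp directory. The following is an added example (not part of the sandbox report) that triages process-creation events for exactly that pattern. The event records are constructed in the shape of a Sysmon Event ID 1 / Security 4688 record; the first reproduces the command line recorded in this run, the other two are benign invocations included for contrast.

```python
"""Triage schtasks process-creation events for persistence, using the
invocation recorded in this report as the positive case.

Added example (not part of the sandbox report): the event records below are
constructed; the first one reproduces the command line the sample ran.
"""
import re

# Constructed process-creation events. Event 0 is the schtasks line from this
# report; the others are benign invocations for contrast.
SAMPLE_EVENTS = [
    {"pid": 2868, "ppid": 2908,
     "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\0cb9b66451ba728bd3edf2e34404289d_JaffaCakes118.exe",
     "cmdline": r'''schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\Secure.exe'"'''},
    {"pid": 4100, "ppid": 900,
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Program Files\Vendor\updater.exe",
     "cmdline": r'schtasks /create /sc DAILY /st 09:00 /tn "Vendor Update" /tr "C:\Program Files\Vendor\updater.exe /check"'},
    {"pid": 4200, "ppid": 900,
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /query /tn "Vendor Update"'},
]

# schtasks switches that take a following value (a subset of the documented set).
VALUE_SWITCHES = {"/sc", "/rl", "/tn", "/tr", "/st", "/mo", "/ru", "/rp", "/d", "/m", "/xml"}

# Directories an unprivileged user can write to; a task action or a parent
# image living here is the first thing to check.
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|downloads|public)\\", re.I)

# Triggers that fire without user interaction after a reboot or logon.
AUTOSTART_TRIGGERS = {"ONLOGON", "ONSTART", "ONIDLE"}


def win_split(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs intact."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline):
    """Map switches to values (or True for bare flags); keys are lower-cased."""
    toks = win_split(cmdline)
    args = {}
    i = 1  # skip the program name
    while i < len(toks):
        tok = toks[i].lower()
        if tok in VALUE_SWITCHES and i + 1 < len(toks):
            # The sample wraps the /tr path in single quotes inside the double quotes.
            args[tok] = toks[i + 1].strip("'")
            i += 2
        else:
            if tok.startswith("/"):
                args[tok] = True
            i += 1
    return args


def score_event(evt):
    """Return (score, reasons) for one schtasks process-creation event."""
    args = parse_schtasks(evt["cmdline"])
    reasons = []
    if "/create" not in args:
        return 0, reasons
    trigger = str(args.get("/sc", "")).upper()
    if trigger in AUTOSTART_TRIGGERS:
        reasons.append(f"autostart trigger /sc {trigger}")
    if str(args.get("/rl", "")).upper() == "HIGHEST":
        reasons.append("/RL HIGHEST requests the highest available privileges")
    if "/f" in args:
        reasons.append("/f silently overwrites a task of the same name")
    action = str(args.get("/tr", ""))
    if USER_WRITABLE.search(action):
        reasons.append(f"task action in user-writable path: {action}")
    if USER_WRITABLE.search(evt["parent_image"]):
        reasons.append(f"schtasks spawned from user-writable path: {evt['parent_image']}")
    return len(reasons), reasons


def triage(events, threshold=3):
    """Events at or above threshold, as (pid, score, task name, reasons)."""
    hits = []
    for evt in events:
        score, reasons = score_event(evt)
        if score >= threshold:
            hits.append((evt["pid"], score, parse_schtasks(evt["cmdline"]).get("/tn"), reasons))
    return hits


if __name__ == "__main__":
    for pid, score, name, reasons in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: task {name!r} score {score}")
        for r in reasons:
            print("  -", r)
```

The parent-image check matters as much as the command line: a vendor updater creating a daily task from Program Files scores zero here, while the sample's task scores on every heuristic, including the fact that schtasks.exe was launched from a file in AppData\Local\Temp.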
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | pastebin.com | udp | 1 |
| US | 104.20.3.235:443 | pastebin.com | tcp | 1 |
| DE | 193.161.193.99:27942 | | tcp | 37 |
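Two things in this Network table are worth pulling out as IOCs: the pastebin.com fetch over HTTPS, and the 37 repeated TCP connections to 193.161.193.99:27942 with no DNS name, inside a 153-second capture. LimeRAT builds can be configured to read their host:port from a paste rather than embedding it, so the sequence fits a dead-drop resolver followed by beaconing. The following is an added example, not part of the report: it parses the table in the raw four-column layout the report uses (repairing rows where an empty Domain cell let the protocol slide one column left), counts connections per endpoint, checks the resolver-then-beacon ordering, and emits a Suricata rule for the endpoint. REPORT_TABLE is constructed from this run's rows; the rule's sid is a caller-chosen value in the local range.

```python
"""Per-endpoint IOCs and a dead-drop/beacon check from a sandbox Network table.

Added example, not part of the report. REPORT_TABLE is constructed from the
behavioral1 Network table: the two pastebin.com rows followed by the 37
identical connections to 193.161.193.99:27942 that the run recorded.
"""
import ipaddress
from collections import Counter

REPORT_TABLE = (
    "| Country | Destination | Domain | Proto |\n"
    "| US | 8.8.8.8:53 | pastebin.com | udp |\n"
    "| US | 104.20.3.235:443 | pastebin.com | tcp |\n"
    + "| DE | 193.161.193.99:27942 | tcp | |\n" * 37
)

# Services commonly used as dead-drop resolvers (a page that holds the real C2
# address). pastebin.com is the one this report shows.
DEAD_DROP_HOSTS = {"pastebin.com"}
COMMON_PORTS = {53, 80, 443}
MAX_NETWORK_SECONDS = 153  # "Max time network" for behavioral1


def parse_rows(text):
    """Parse the pipe-delimited table, repairing rows whose empty Domain cell
    let the protocol slide into the Domain column."""
    rows = []
    for line in text.splitlines()[1:]:  # skip header
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4:
            continue
        country, dest, domain, proto = cells[:4]
        if domain.lower() in ("tcp", "udp") and not proto:
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        ipaddress.ip_address(ip)  # raises on anything that is not a literal IP
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def endpoint_counts(rows):
    """Connections per (ip, port, proto)."""
    return Counter((r["ip"], r["port"], r["proto"]) for r in rows)


def find_beacons(rows, min_connections=10):
    """Endpoints contacted repeatedly by bare IP (no DNS name) on a non-standard TCP port."""
    named_ips = {r["ip"] for r in rows if r["domain"]}
    beacons = []
    for (ip, port, proto), n in endpoint_counts(rows).items():
        if (proto == "tcp" and n >= min_connections
                and ip not in named_ips and port not in COMMON_PORTS):
            beacons.append({"ip": ip, "port": port, "connections": n})
    return beacons


def dead_drop_chain(rows, min_connections=10):
    """A dead-drop fetch that precedes the first beacon connection, or None."""
    fetch = next((i for i, r in enumerate(rows)
                  if r["domain"] in DEAD_DROP_HOSTS and r["proto"] == "tcp"), None)
    beacons = find_beacons(rows, min_connections)
    if fetch is None or not beacons:
        return None
    c2 = {(b["ip"], b["port"]) for b in beacons}
    first_c2 = next(i for i, r in enumerate(rows) if (r["ip"], r["port"]) in c2)
    if fetch < first_c2:
        return {"resolver": rows[fetch]["domain"], "c2": beacons}
    return None


def mean_interval(beacon, window_seconds=MAX_NETWORK_SECONDS):
    """Upper bound on the average reconnect interval given the capture window."""
    return window_seconds / beacon["connections"]


def suricata_rule(beacon, sid):
    """Alert rule for the beacon endpoint; sid is chosen by the caller."""
    return (f'alert tcp $HOME_NET any -> {beacon["ip"]} {beacon["port"]} '
            f'(msg:"LimeRAT C2 beacon {beacon["ip"]}:{beacon["port"]}"; '
            f'flow:to_server; classtype:trojan-activity; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    rows = parse_rows(REPORT_TABLE)
    chain = dead_drop_chain(rows)
    print("resolver:", chain["resolver"] if chain else None)
    for b in (chain["c2"] if chain else []):
        print(f'{b["ip"]}:{b["port"]} x{b["connections"]}, '
              f'<= {mean_interval(b):.1f}s between connects')
        print(suricata_rule(b, sid=1000001))
```

The table carries no timestamps, so the interval is only an upper bound (153 s / 37 connections, a little over 4 s); a capture with timestamps would let you measure jitter directly. The direct-IP rule is the brittle part of the output: because the address was fetched from a paste, the operator can rotate it without touching the binary, so the pastebin fetch from an unsigned Temp executable is the more durable signal.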
Files
memory/2224-0-0x000007FEF5453000-0x000007FEF5454000-memory.dmp
memory/2224-1-0x00000000001E0000-0x00000000001F6000-memory.dmp
memory/2224-2-0x0000000000270000-0x000000000027A000-memory.dmp
memory/2224-3-0x0000000000590000-0x000000000059C000-memory.dmp
memory/2224-4-0x000007FEF5450000-0x000007FEF5E3C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Secure.exe (hashes identical to the submitted sample: the dropped file is a copy of the original executable)
| MD5 | 0cb9b66451ba728bd3edf2e34404289d |
| SHA1 | e2c2472aca5fe1cf9716b60e871a73ebabcca6a5 |
| SHA256 | 1643f09345a88923f4d9fdb38bcec093b7f9a58a17f3dd2e15077fc159f830a1 |
| SHA512 | d69d6b091d50d7953dd259609a7ff1818830df19e8a466ea368df29d526e6d79319f2e911c77025c53b52bdcebeec8b71cb9506e127fbb0b6819220bcd6f61e3 |
memory/1996-10-0x0000000000D20000-0x0000000000D36000-memory.dmp
memory/1996-11-0x000007FEF5450000-0x000007FEF5E3C000-memory.dmp
memory/1996-12-0x000007FEF5450000-0x000007FEF5E3C000-memory.dmp
memory/2224-13-0x000007FEF5450000-0x000007FEF5E3C000-memory.dmp
memory/1996-14-0x000007FEF5450000-0x000007FEF5E3C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-25 05:14
Reported
2024-06-25 05:17
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Signatures
LimeRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0cb9b66451ba728bd3edf2e34404289d_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Secure.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Secure.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Secure.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2908 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\0cb9b66451ba728bd3edf2e34404289d_JaffaCakes118.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 2908 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\0cb9b66451ba728bd3edf2e34404289d_JaffaCakes118.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 2908 wrote to memory of 568 | N/A | C:\Users\Admin\AppData\Local\Temp\0cb9b66451ba728bd3edf2e34404289d_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Secure.exe |
| PID 2908 wrote to memory of 568 | N/A | C:\Users\Admin\AppData\Local\Temp\0cb9b66451ba728bd3edf2e34404289d_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Secure.exe |
Both write targets (PID 2868, schtasks.exe, and PID 568, the dropped Secure.exe) are the child processes the sample itself launched, as listed under Processes; no write into an unrelated process was recorded.
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0cb9b66451ba728bd3edf2e34404289d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0cb9b66451ba728bd3edf2e34404289d_JaffaCakes118.exe"
C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\Secure.exe'"
C:\Users\Admin\AppData\Local\Temp\Secure.exe
"C:\Users\Admin\AppData\Local\Temp\Secure.exe"
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | pastebin.com | udp | 1 |
| US | 172.67.19.24:443 | pastebin.com | tcp | 1 |
| DE | 193.161.193.99:27942 | | tcp | 1 |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp | 1 |
| DE | 193.161.193.99:27942 | | tcp | 4 |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp | 1 |
| DE | 193.161.193.99:27942 | | tcp | 1 |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp | 1 |
| DE | 193.161.193.99:27942 | | tcp | 7 |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp | 1 |
| DE | 193.161.193.99:27942 | | tcp | 7 |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp | 1 |
| DE | 193.161.193.99:27942 | | tcp | 11 |
| US | 8.8.8.8:53 | 195.201.50.20.in-addr.arpa | udp | 1 |
Files
memory/2908-0-0x00007FF84DF63000-0x00007FF84DF65000-memory.dmp
memory/2908-1-0x0000000000040000-0x0000000000056000-memory.dmp
memory/2908-2-0x0000000000900000-0x000000000090A000-memory.dmp
memory/2908-3-0x0000000000930000-0x000000000093C000-memory.dmp
memory/2908-4-0x00007FF84DF60000-0x00007FF84EA21000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Secure.exe (hashes identical to the submitted sample: the dropped file is a copy of the original executable)
| MD5 | 0cb9b66451ba728bd3edf2e34404289d |
| SHA1 | e2c2472aca5fe1cf9716b60e871a73ebabcca6a5 |
| SHA256 | 1643f09345a88923f4d9fdb38bcec093b7f9a58a17f3dd2e15077fc159f830a1 |
| SHA512 | d69d6b091d50d7953dd259609a7ff1818830df19e8a466ea368df29d526e6d79319f2e911c77025c53b52bdcebeec8b71cb9506e127fbb0b6819220bcd6f61e3 |
memory/2908-17-0x00007FF84DF60000-0x00007FF84EA21000-memory.dmp
memory/568-18-0x00007FF84DF60000-0x00007FF84EA21000-memory.dmp
memory/568-19-0x00007FF84DF60000-0x00007FF84EA21000-memory.dmp
memory/568-20-0x00007FF84DF60000-0x00007FF84EA21000-memory.dmp